
Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

November 08, 2023

Transcript

  1. Keep your dependencies in check
    All Day DevOps on Tour: Malmö Edition - Nov 8, 2023
    https://maritvandijk.com/ @MaritvanDijk77

  6. Dec. 2021

  10. March 2022

  12. Do we need this dependency?
    https://maritvandijk.com/selecting-dependencies/

  13. https://www.sonatype.com/resources/log4j-vulnerability-resource-center

  14. No dependencies
    Maintain dependencies

  15. Maven
    • Overview of dependencies: `mvn dependency:tree`

  16. Maven
    • Check for updates: `mvn versions:display-dependency-updates`

  17. Maven
    • Check for updates: `mvn versions:display-dependency-updates`

  18. Maven
    • Analyze dependencies: `mvn dependency:analyze`
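
    As an added example for the Maven slides above (it is not from the talk and not part of the Maven project): a small Python script that parses the text `mvn dependency:tree` prints and reports every path through which a given artifact is pulled in, which is exactly the question teams had to answer for log4j-core in December 2021. The tree output embedded below is a constructed sample with made-up versions, the artifact coordinates are the ones you would look for, and the minimum version is a placeholder to be taken from the relevant advisory. With the plugin's `-Dverbose` flag Maven also lists the copies it omitted during dependency mediation; the parser keeps those with their note, because an omitted copy still tells you which direct dependency needs attention once the winning version is bumped.

```python
"""Find an artifact in `mvn dependency:tree` output and show how it gets in.

Added example for the Maven slides; not from the talk or the Maven project.
SAMPLE_TREE is a constructed sample, and the minimum version passed to
below_minimum() is a placeholder the reader takes from the advisory.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree -Dverbose` output (all versions made up).
SAMPLE_TREE = r"""
[INFO] --- dependency:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.5.6:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
[INFO] |  |     \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |        \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.12:compile
[INFO] +- com.example:internal-lib:jar:3.1.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- org.example:reporting:jar:1.4.0:compile
[INFO]    \- (org.apache.logging.log4j:log4j-core:jar:2.14.1:compile - omitted for duplicate)
[INFO] ------------------------------------------------------------------------
"""

# Root line: "[INFO] group:artifact:packaging:version" with no tree connector.
ROOT_RE = re.compile(r"^\[INFO\] ([^\s:]+(?::[^\s:]+){3,})$")
# Child line: "[INFO] " + drawing prefix in 3-char units + "+- " or "\- " + coordinates,
# optionally wrapped in parentheses with a " - omitted for ..." note (verbose mode).
NODE_RE = re.compile(r"^\[INFO\] ((?:[| ]  )*)[+\\]- \(?([^\s()]+)(?: - ([^)]+))?\)?$")


@dataclass
class Hit:
    version: str
    scope: str
    path: List[str]      # root -> ... -> artifact, each as "group:artifact:version"
    note: str = ""       # e.g. "omitted for duplicate" from verbose output


def _coords(raw: str) -> Tuple[str, str, str, str]:
    """Split 'g:a:type[:classifier]:version[:scope]' into (group, artifact, version, scope)."""
    parts = raw.split(":")
    if len(parts) == 4:              # the root module line carries no scope
        return parts[0], parts[1], parts[3], ""
    return parts[0], parts[1], parts[-2], parts[-1]


def find_artifact(tree_text: str, group: str, artifact: str) -> List[Hit]:
    """Return one Hit per occurrence of group:artifact, with the path that pulls it in."""
    stack: List[str] = []            # coordinates of the ancestor at each depth
    hits: List[Hit] = []
    for line in tree_text.splitlines():
        m = ROOT_RE.match(line)
        if m:
            depth, raw, note = 0, m.group(1), ""
        else:
            m = NODE_RE.match(line)
            if not m:
                continue             # plugin banner, separator, unrelated output
            depth = len(m.group(1)) // 3 + 1
            raw, note = m.group(2), m.group(3) or ""
        g, a, v, scope = _coords(raw)
        del stack[depth:]            # we left a subtree: drop deeper ancestors
        stack.append(f"{g}:{a}:{v}")
        if g == group and a == artifact:
            hits.append(Hit(v, scope, list(stack), note))
    return hits


def version_key(v: str):
    """Simplified ordering: numeric segments compare as ints, other segments as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.-]", v))


def below_minimum(tree_text: str, group: str, artifact: str, min_version: str) -> List[Hit]:
    """Hits whose resolved version is older than min_version (placeholder from the advisory)."""
    return [h for h in find_artifact(tree_text, group, artifact)
            if version_key(h.version) < version_key(min_version)]


if __name__ == "__main__":
    # "2.99.0" is a placeholder threshold, not a real advisory value.
    for hit in below_minimum(SAMPLE_TREE, "org.apache.logging.log4j", "log4j-core", "2.99.0"):
        flag = f" ({hit.note})" if hit.note else ""
        print(f"{hit.version} [{hit.scope}]{flag}: " + " -> ".join(hit.path))
```

    To run it against a real project, pipe the build output in (`mvn dependency:tree -Dverbose > tree.txt`) and pass the file contents instead of `SAMPLE_TREE`. The version ordering is deliberately simplified; Maven's own rules for qualifiers such as `-SNAPSHOT` or `-rc1` are richer, so treat the comparison as a triage aid, not a final verdict.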

  19. Gradle
    • Overview of dependencies: `./gradlew dependencies`

  20. Gradle
    • Check for updates:
      • Add plugin, e.g. gradle-versions-plugin
      • Run `./gradlew dependencyUpdates`
    https://github.com/ben-manes/gradle-versions-plugin

  21. Gradle
    • Analyze dependencies:
      • Add plugin (e.g. nebula)
    https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

  22. Gradle
    • Analyze dependencies:
      • Add plugin (e.g. nebula)
      • Run `./gradlew fixGradleLint`
    https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

  23. IntelliJ IDEA: View Dependencies

  24. IntelliJ IDEA: View Dependencies

  25. IntelliJ IDEA: View Dependencies

  26. IntelliJ IDEA: View Dependencies
    https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

  27. IntelliJ IDEA: View Dependencies
    https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

  28. IntelliJ IDEA: Dependency Analyzer
    https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  29. IntelliJ IDEA: Dependency Analyzer
    https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  30. IntelliJ IDEA: Dependency Analyzer
    https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  31. IntelliJ IDEA: Dependency Analyzer
    https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  32. IntelliJ IDEA: Dependency Analyzer
    https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  33. IntelliJ IDEA: Dependency Analyzer
    https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  34. IntelliJ IDEA
    • Package Search: Add dependency
    https://www.jetbrains.com/help/idea/package-search.html

  35. IntelliJ IDEA
    • Package Search: Add dependency
    https://www.jetbrains.com/help/idea/package-search.html

  36. IntelliJ IDEA: Update dependencies
    • Context Actions (⌥ ⏎ or Alt+Enter)

  37. IntelliJ IDEA: Update dependencies
    • Hover
    https://www.jetbrains.com/help/idea/package-analysis.html

  38. IntelliJ IDEA
    • Dependencies tool window
    https://www.jetbrains.com/help/idea/package-search.html

  39. IntelliJ IDEA
    • Dependencies tool window (search)
    https://www.jetbrains.com/help/idea/package-search.html

  40. IntelliJ IDEA
    https://www.jetbrains.com/help/idea/package-analysis.html

  41. Pros & Cons
    + Check dependencies while working on the project
    - Check out each individual project
    - Apply & verify updates

  42. Software Composition Analysis (SCA)
    • Scan all repos (and containers)
    • Overview

  43. SCA: Pros & Cons
    + No need to check out repos individually
    - I have to check the dashboard
    - Apply & verify updates

  44. Bots
    • Dependabot
    • Renovate
    • Snyk Open Source

  45. Features
    Columns: Dependabot | Renovate | Snyk Open Source
    Alerts: Y
    Security Updates: Y | Y | Y
    Version Updates: Y (with extra config) | Y | Y
    Dashboard: Y | Y
    Check PRs for vulnerable dependencies: Y
    Scan code for vulnerabilities: Y

  46. Options
    Columns: Dependabot | Renovate | Snyk Open Source
    Repos: All | All vs. selected only | Public only vs. public & private (can disable for repo)
    Scheduling: Daily / Weekly / Never | Very detailed (presets, cron syntax, ..) | Daily / Weekly / Never
    Info in PR: Severity metrics | Adoption rate, % passing tests, Confidence level | Severity, Breaking change, Known Exploits
    Max. nr. of PRs: Y (default 5) | Y and concurrent branches | New and/or known vulnerabilities
    Bundle updates in PR: Y (with config) | Y (by default)
    Rebase strategy: Y | Y | TODO
    Rule-based automerge: Y
    Check PRs: Y

  47. Platforms
    Dependabot: GitHub native; GitLab (with config)
    Renovate: GitHub.com; GitHub Enterprise Server; GitLab.com; GitLab CE/EE; Bitbucket Cloud; Bitbucket Server; Azure DevOps; AWS CodeCommit; Gitea and Forgejo
    Snyk Open Source: GitHub; GitHub Enterprise; GitHub Read-only projects; GitLab; Bitbucket Cloud Personal Access Token (Legacy); Bitbucket Cloud App; Bitbucket Data Center/Server; Azure (TFS) Repos

  48. Dependabot security alerts
    https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

  49. Dependabot security updates
    https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

  50. Renovate PR
    https://docs.renovatebot.com/merge-confidence/

  51. Renovate Dashboard: Project

  52. Snyk PR

  53. Snyk dashboard

  54. Bots
    • Dependabot
    • Renovate
    • Snyk Open Source

  55. Bots: Pros & Cons
    + Relatively easy to install
    + Automatic PRs
    - Can create "noise"
    - Manage PRs (merge & deploy)
    - Do NOT update your code (if needed)

  56. Migration tools

  57. IntelliJ IDEA
    • Refactor > Migrate Packages and Classes
    https://www.jetbrains.com/help/idea/migrate.html

  58. IntelliJ IDEA
    • Refactor > Migrate Packages and Classes >
      • Java EE to Jakarta EE
      • JUnit (4.x -> 5.0)
      • JavaFX (8 -> 9)
    https://www.jetbrains.com/help/idea/migrate.html

  59. IntelliJ IDEA
    • Create New Migration

  60. IntelliJ IDEA
    • Create New Migration

  61. Error Prone
    • Static analysis tool for Java to catch common programming mistakes at compile-time.
    • Maven, Gradle, etc.
    • IntelliJ IDEA / Eclipse plugin, Command line
    • Bug patterns
    • Report or fix
    • Custom checks
    • Includes Refaster: refactor code using before-and-after templates
    https://errorprone.info/

  62. Error Prone
    https://www.youtube.com/watch?v=NPuLeoIzIR0

  63. Error Prone Support
    https://error-prone.picnic.tech/

  64. OpenRewrite
    • Source code refactoring for framework/API migrations, vulnerability patches, and static code analysis fixes
    • Java, Kotlin & Groovy support
    • Maven/Gradle
    • Run without a build tool
    • Early support for Python, TypeScript, ...
    https://docs.openrewrite.org/

  65. OpenRewrite
    • Existing recipes
      • Upgrade versions
      • Migrate libraries
      • Fix static analysis issues
    https://docs.openrewrite.org/running-recipes/popular-recipe-guides

  66. OpenRewrite
    • Existing recipes
      • Find by topic
    https://docs.openrewrite.org/reference/recipes

  67. OpenRewrite
    • Existing recipes
    • Can author your own recipes
    https://docs.openrewrite.org/

  68. OpenRewrite
    https://www.youtube.com/watch?v=jOFfCAleUI8

  69. Conclusion
    • (Re)evaluate dependencies carefully
    • Automate checks & updates
    • Stay safe!

  70. Slides & More
    https://maritvandijk.com/presentations/keep-your-dependencies-in-check/